THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision | Publish Date | Comments |
---|---|---|
1.0 | 10-Feb-23 | Initial Release |

Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
---|---|---|---|---|
NON-IOS | SD-WAN Software Update | 19.1 | 19.1.0, 19.1.0a | |
NON-IOS | SD-WAN Software Update | 19.2 | 19.2.1, 19.2.2, 19.2.3, 19.2.4, 19.2.31, 19.2.32 | |
NON-IOS | SD-WAN Software Update | 19.3 | 19.3.0 | |
NON-IOS | SD-WAN Software Update | 20.1 | 20.1.1, 20.1.1.1, 20.1.2, 20.1.3, 20.1.12 | |
NON-IOS | SD-WAN Software Update | 20.3 | 20.3.1, 20.3.2, 20.3.2.1, 20.3.3, 20.3.3.1, 20.3.4, 20.3.4.1, 20.3.4.2, 20.3.5, 20.3.6 | |
NON-IOS | SD-WAN Software Update | 20.4 | 20.4.1, 20.4.1.1, 20.4.1.2, 20.4.2, 20.4.2.1, 20.4.2.2 | |
NON-IOS | SD-WAN Software Update | 20.5 | 20.5.1, 20.5.1.1, 20.5.1.2 | |
NON-IOS | SD-WAN Software Update | 20.6 | 20.6.1, 20.6.1.1, 20.6.2, 20.6.2.1, 20.6.2.2, 20.6.3, 20.6.3.1, 20.6.4 | |
NON-IOS | SD-WAN Software Update | 20.7 | 20.7.1, 20.7.1.1, 20.7.2 | |
NON-IOS | SD-WAN Software Update | 20.8 | 20.8.1 | |
NON-IOS | SD-WAN Software Update | 20.9 | 20.9.1, 20.9.1.1, 20.9.2, 20.9.2.1 | |
NON-IOS | SD-WAN Software Update | 20.10 | 20.10.1 | |

Defect ID | Headline |
---|---|
CSCwd62789 | Digicert/Symantec Certification will be removed from 20.11 |
Beginning March 31, 2023, Cisco will no longer sponsor DigiCert (formerly Symantec) controller X.509 certificates for Cisco SD-WAN. After that date, Cisco will not approve DigiCert certificates to be signed and released. This includes certificate signing requests (CSRs) sent to DigiCert from vManage or manually submitted on the DigiCert portal. Existing Cisco SD-WAN DigiCert controller certificates will continue to be valid until those certificates expire. However, once those controller certificates expire, they cannot be renewed with new DigiCert certificates. Without valid certificates installed on the controllers, all Cisco SD-WAN control connections will fail.
Cisco SD-WAN provides multiple options to source and maintain the X.509 certificates used to authorize controller connections. One of those options relies on a Cisco sponsored DigiCert (formerly Symantec) certificate authority (CA) to sign and issue controller certificates. This option is available via the DigiCert Controller Certificate Authorization feature in vManage. After careful planning, we have determined the DigiCert Controller Certificate Authorization feature no longer aligns with our strategic direction for Cisco SD-WAN. We announced End of Support for this feature, effective March 31, 2023. Beginning March 31, 2023, we will no longer approve DigiCert CSRs to be signed and released.
End of Support for the DigiCert Controller Certificate Authorization feature is not caused by a specific software defect or change in the DigiCert CA. Nonetheless, if you currently use this feature, you will need to take action to migrate to a different controller certificate method before your current certificates expire. Follow the instructions in the Workaround/Solution section in order to avoid service disruption.
After March 31, 2023, if you open a Cisco Technical Assistance Center (TAC) case to have a DigiCert CSR approved, you will be advised that your request cannot be processed.
If your Cisco SD-WAN controllers are currently configured for DigiCert controller certificate authorization, you must switch to one of the other supported certificate methods. There are two options available.
Option 1. Migrate to Cisco Public Key Infrastructure (Preferred Approach)
The Cisco Public Key Infrastructure (PKI) option is available with SD-WAN Controller software version 19.2.3 and later. This option offers several advantages, which include:
"Generate CSR"
option in vManage.
Consult the DigiCert Certificate to Cisco PKI Certificate Migration Guide for details on how to implement this option.
Option 2. Configure Cisco SD-WAN for Enterprise Certificates
If you prefer not to migrate to Cisco PKI or cannot meet the minimum software requirements, you can configure vManage to use Enterprise Certificates for controller certificate authorization. The Enterprise Certificates option provides the flexibility to source certificates directly from any commercial PKI provider such as DigiCert or from a private CA within your own organization. With Enterprise Certificates, you must purchase the controller certificates directly from a commercial PKI vendor (or internal private CA) and manually install them in Cisco SD-WAN.
Consult the "Enterprise Root Certificate Authority (CA)" chapter of the Cisco SD-WAN Controller Certificates and Authorized Serial Number File Prescriptive Deployment Guide for Enterprise Certificates configuration and operation instructions.
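To plan the migration, it helps to know which controller certificates were issued by DigiCert and how soon they expire. The script below is an added example, not part of the Cisco field notice: it assumes the controller certificates have been exported as PEM files into one directory, that a DigiCert or Symantec certificate shows one of those names in its issuer, and that 90 days is the warning window (`WARN_DAYS`); all three are assumptions to adjust.

```shell
#!/bin/sh
# Added example: classify exported controller certificates (PEM) by issuer and expiry.
# Assumption: a DigiCert/Symantec-issued certificate has "DigiCert" or "Symantec"
# in its issuer DN. Adjust the pattern to match what your own certificates show.

WARN_DAYS=${WARN_DAYS:-90}   # assumed warning window, in days

# classify_cert FILE -> prints one of:
#   UNREADABLE | OTHER_CA | DIGICERT_EXPIRED | DIGICERT_EXPIRING | DIGICERT_OK
classify_cert() {
    cert=$1
    issuer=$(openssl x509 -noout -issuer -in "$cert" 2>/dev/null) || {
        echo UNREADABLE
        return 0
    }
    case $issuer in
        *[Dd]igi[Cc]ert*|*[Ss]ymantec*) ;;      # affected by the end of support
        *) echo OTHER_CA; return 0 ;;           # Cisco PKI, enterprise CA, etc.
    esac
    # "-checkend N" exits 0 when the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo DIGICERT_EXPIRED
    elif ! openssl x509 -noout -checkend $((WARN_DAYS * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo DIGICERT_EXPIRING
    else
        echo DIGICERT_OK
    fi
}

# report DIR -> one tab-separated line per *.pem file: status, notAfter, file name
report() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        status=$(classify_cert "$f")
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$status" "${end:-unknown}" "$f"
    done
}
```

Source the file and run `report /path/to/exported-certs`; any `DIGICERT_EXPIRING` or `DIGICERT_EXPIRED` line marks a controller that needs one of the two options above first.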
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: